09-10-2010 06:32 AM
Hi,
I have implemented an IronPort in Proxy Mode. It's working fine.
The only problem is when clients access sites that ask for an HTTPS certificate (example attached).
How can I solve this problem so that this is transparent to all customers?
Regards.
Jaime.
09-14-2010 08:27 PM
The site example you provided is a bank.
For bank sites, it is best to configure a pass-through policy through a custom URL category.
09-15-2010 06:03 AM
Hi,
Why is it better to leave bank sites as a pass-through policy?
What do I do with other HTTPS sites?
Regards,
Jaime.
09-15-2010 08:29 PM
I attach here sample pictures of the steps you can follow if the WSA is using a self-signed certificate.
You can download the certificate on the WSA from Security Services > HTTPS Proxy > select Edit Settings, and download the certificate.
The certificate will be in PEM format and needs to be converted to DER format so you can use it with the browser.
You can use openssl to convert PEM to DER format. Someone wrote a good document here: http://tinyurl.com/d3yr8
Once you have the DER format certificate, install the certificate into the browser's Trusted Root Certification Authorities store.
This will allow your browser to trust the certificate on the WSA.
This will work as long as the certificate from the real website has no actual issues (expired, unknown), and the only issue to overcome is that the certificate on the WSA is not trusted by your browser for HTTPS proxying.
I hope this information helps you.
Regards
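
The PEM-to-DER conversion described in the post above, as an added example that is not part of the original thread: it converts the certificate with openssl, then confirms that the DER file carries the same, unexpired certificate before it is imported into a trust store. The file names and the sample certificate (a constructed stand-in for the one downloaded from the WSA) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. File names and the CN are constructed.

# Print the SHA-256 fingerprint of a certificate; $2 is PEM or DER.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# Convert PEM ($1) to DER ($2), then confirm both files hold the same,
# unexpired certificate. Returns non-zero on any mismatch or parse failure.
pem_to_der_checked() {
    openssl x509 -in "$1" -inform PEM -outform DER -out "$2" || return 1
    fp_pem=$(cert_fingerprint "$1" PEM)
    fp_der=$(cert_fingerprint "$2" DER)
    [ -n "$fp_pem" ] && [ "$fp_pem" = "$fp_der" ] || return 1
    # -checkend 0 fails if the certificate has already expired
    openssl x509 -in "$2" -inform DER -noout -checkend 0 >/dev/null
}

# Constructed stand-in for the certificate downloaded from the WSA.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=constructed-proxy-root.example" \
        -keyout "$1/sample.key" -out "$1/sample.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d) || return 1
    if make_sample_cert "$dir" &&
       pem_to_der_checked "$dir/sample.pem" "$dir/sample.der"; then
        echo "SHA-256 fingerprint of the converted certificate:"
        cert_fingerprint "$dir/sample.der" DER
    else
        echo "conversion or verification failed" >&2
    fi
    rm -rf "$dir"
}
demo
```

Comparing the printed fingerprint with one obtained from the proxy administrator over a separate channel confirms that the file being added to the trusted root store is the intended certificate.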
09-16-2010 07:51 AM
Thanks for your information. I will do the test in client.
Regards,
Jaime.
09-21-2010 05:11 PM
Hi,
When the IronPort intercepts HTTPS traffic, will it not store important information of the users, such as keys, for example?
I could not find information.
Regards.
Jaime
09-22-2010 10:26 PM
Hello Jaime,
The IronPort will not store user keys. It only keeps the user TCP session until the session times out.
Regards,
09-23-2010 05:54 AM
Thanks.
A query: why did you say in a previous answer that banking sites are best set to a pass-through policy?
Regards,
Jaime
09-23-2010 09:40 PM
I guess if you are doing decryption of HTTPS, I am wondering more whether your end users will really be happy to have their supposedly encrypted banking traffic going through the WSA.
In the end it is up to your security policy, and end user acceptance of how you are implementing your proxy.
Regards